1

NUSCALE POWER, LLC SAFETY EVALUATION FOR TOPICAL REPORT TR-0815-16497,

REVISION 1, “SAFETY CLASSIFICATION OF PASSIVE NUCLEAR POWER PLANT ELECTRICAL SYSTEMS”

(CAC. NO. RQ6002) 1.0 Introduction By letter dated October 29, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15306A263), NuScale Power, LLC (the applicant or NuScale), submitted Topical Report (TR)-0815-16497, Revision 0, “Safety Classification of Passive Nuclear Power Plant Electrical Systems.” By letter dated February 7, 2017, NuScale submitted Revision 1 to TR-0815-16497 in proprietary (-P) and nonproprietary (-NP) versions (letter and -NP version available at ADAMS Accession No. ML17048A459). Section 1.1, “Purpose,” of TR-0815-16497-NP, Revision 1, states the purpose of the submittal and describes the review and approval that the applicant seeks from the U.S. Nuclear Regulatory Commission (NRC or Commission) staff, as follows:

The purpose of this topical report is to request Nuclear Regulatory Commission (NRC) review and approval of what are termed herein as “conditions of applicability,” and the methodology and bases used in their development. The conditions of applicability comprise a set of passive reactor plant design and operational attributes that, if met in full by a reactor design or license applicant, justify the applicant’s determination that none of the plant electrical systems fulfill functions that, per the regulatory definitions of “safety-related” and “Class 1E,” would warrant a Class 1E classification. The conditions of applicability are presented in Table 3-1, “Conditions of applicability.” This topical report also seeks NRC review and approval of augmented design, qualification, and quality assurance (QA) provisions that are an extension of the conditions of applicability (via Item II.1 of Table 3-1). The augmented provisions are described in Table 3-2. For reasons detailed in Section 3.2, these augmented design, qualification, and QA provisions would be applied as minimum requirements to electrical systems that have been determined to be nonsafety-related but yet are essential to the post-accident monitoring of Type B and Type C variables. Provided the conditions of applicability are fully satisfied, the approved augmented provisions would represent an acceptable alternative to the portion of Regulatory Guide 1.97, Revision 4 (Reference 4.39), that specifies a Class 1E power source for instrumentation associated with Type B and Type C variables.

Based on its review of the TR, the NRC staff issued requests for additional information (RAIs) via letter dated October 7, 2016 (ADAMS Accession No. ML16281A298); in particular, the RAIs addressed the direct current (dc) equipment and system, postaccident monitoring, and reactor coolant pressure boundary (RCPB) integrity and safe shutdown. In response to these RAIs, NuScale provided supplemental information in a letter dated December 5, 2016 (ADAMS Accession No. ML16340D339).

2

2.0 Regulatory Evaluation The electric power systems for power plants include onsite electrical power systems providing alternating current (ac) power and dc power. Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 323-1974, “IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations,” refers to safety-related electrical equipment as “Class 1E” equipment. As defined therein, the safety-related or “Class 1E” classification is the safety classification of the electrical equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling, and containment and reactor heat removal, or otherwise are essential in preventing a significant release of radioactive material to the environment. As used in IEEE Std. 323-1974, Class 1E equipment includes appropriate interfaces. If a reactor was designed so that no electrical equipment was “essential” such that it met the definition of Class 1E (i.e., the reactor plant design did not include safety-related equipment dependent on electric power), then the design would not require Class 1E ac or dc power systems. Where no Class 1E equipment is used, the basic requirements for qualifying Class 1E equipment and interfaces, which are provided in IEEE Std. 323-1974, are inapplicable. In TR-0815-16497, NuScale provided a method to justify that the plant electric power supplies need not be classified as Class 1E. In TR Section 3.1, “Methodology Used to Develop Conditions of Applicability,” the applicant stated that “the application of augmented provisions is consistent with the process established in the NRC regulatory framework for ‘special treatment’ of nonsafety-related SSCs that are determined to have risk-significance.” In TR Table 3-2, “Augmented Design, Qualification, and Quality Assurance Provisions,” the applicant listed the regulatory requirements and guidance documents that a future passive plant applicant would need to apply or consider for the augmented design, qualification, and QA provisions of the non-Class 1E electrical systems—termed the “highly reliable DC electrical system(s)”—for powering the postaccident monitoring instrumentation for Type B and Type C variables and for the plant emergency lighting systems. The NRC staff evaluated the conditions of applicability in TR Table 3-1, “Conditions of Applicability,” by first identifying the design-basis information, as defined in Title 10 of the Code of Federal Regulations (10 CFR) 50.2, “Definitions.” As defined in 10 CFR 50.2, “design basis” means that information that identifies the specific functions to be performed by an SSC of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. The staff then ensured that Table 3-1 addressed these specific functions by the conditions of applicability. In accordance with 10 CFR 52.47(a)(3), an application for a design certification must include the design of the facility, including the following:

(i) The principal design criteria for the facility. Appendix A to 10 CFR part 50, general design criteria (GDC), establishes minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which construction permits have

3

previously been issued by the Commission and provides guidance to applicants in establishing principal design criteria for other types of nuclear power units;

(ii) The design bases and the relation of the design bases to the principal

design criteria; (iii) Information relative to materials of construction, general arrangement,

and approximate dimensions, sufficient to provide reasonable assurance that the design will conform to the design bases with an adequate margin for safety;

The staff’s review considered if the design would meet the following minimum requirements in Appendix A, “General Design Criteria for Nuclear Power Plants,” to 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities,” for principal design criteria even if no electrical equipment was classified as Class 1E: • GDC 10, “Reactor Design,” requires that the reactor core and associated coolant,

control, and protection systems be provided with appropriate margin to assure that specified acceptable fuel design limits (SAFDLs) are not exceeded during any condition of normal operation, including the effect of anticipated operational occurrences (AOOs).

• GDC 13, “Instrumentation and Control,” requires, in part, that the applicant provide

instrumentation to monitor variables and systems over their anticipated ranges for normal operation, AOOs, and accident conditions as appropriate to assure adequate safety.

• GDC 15, “Reactor Coolant System Design,” requires that the reactor coolant system and

associated auxiliary, control, and protection systems be designed with sufficient margin to assure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including AOOs.

• GDC 16, “Containment Design,” requires that the reactor containment and associated

systems shall be provided to establish an essentially leak-tight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.

• GDC 19, “Control Room,” requires, in part, that a control room shall be provided from

which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents (LOCAs).

• GDC 20, “Protection System Functions,” requires, in part, that the protection system be

designed to automatically initiate the operation of appropriate systems, including the reactivity control systems, to assure that SAFDLs are not exceeded as a result of AOOs.

4

• GDC 26, “Reactivity Control System Redundancy and Capability,” requires, in part, that the control rods be capable of reliably controlling reactivity changes to assure that SAFDLs are not exceeded under conditions of normal operation, including AOOs, and with appropriate margin for stuck rods.

• GDC 27, “Combined Reactivity Control Systems Capability,” requires that the reactivity

control systems be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system (ECCS), of reliably controlling reactivity changes to assure that the capability to cool the core is maintained under postulated accident conditions and with appropriate margin for stuck rods.

• GDC 34, “Residual Heat Removal,” requires, in part, that a residual heat removal system

be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that SAFDLs and the design conditions of the RCPB are not exceeded.

• GDC 35, “Emergency Core Cooling,” requires, in part, that a system to provide abundant

core cooling be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

• GDC 38, “Containment Heat Removal,” requires, in part, the provision of a system to

remove heat from the reactor containment. The system safety function shall be to rapidly reduce, consistent with the functioning of other associated systems, the containment pressure and temperature following any LOCA and to maintain them at acceptably low levels.

• GDC 41, “Containment Atmosphere Cleanup,” requires, in part, systems to control

fission products, hydrogen, oxygen, and other substances that may be released into the reactor containment as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained.

• GDC 50, “Containment Design Basis,” requires, in part, that the reactor containment

structure, including access openings, penetrations, and the containment heat removal system, shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any LOCA.

• GDC 54, “Piping Systems Penetrating Containment,” requires, in part, that piping

systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities that have redundancy, reliability, and performance capabilities that reflect the importance to safety of isolating these piping systems.

5

• GDC 55, “Reactor Coolant Pressure Boundary Penetrating Containment,” requires, in part, that each line that is part of the RCPB and that penetrates primary reactor containment shall be provided with containment isolation valves.

• GDC 56, “Primary Containment Isolation,” requires, in part, that each line that connects

directly to the containment atmosphere and penetrates the primary reactor containment shall be provided with containment isolation valves.

• GDC 57, “Closed System Isolation Valves,” requires each line that penetrates primary

reactor containment and is neither part of the RCPB nor connected directly to the containment atmosphere to have at least one containment isolation valve that shall be either automatic or locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.

• GDC 61, “Fuel Storage and Handling and Radioactivity Control,” requires, in part, that

fuel storage and handling, radioactive waste, and other systems that may contain radioactivity be designed to assure adequate safety under normal and postulated accident conditions. This criterion specifies that such systems shall be designed to include appropriate containment, confinement, and filtering systems.

• GDC 63, “Monitoring Fuel and Waste Storage,” requires, in part, appropriate systems in

fuel storage and radioactive waste systems and handling areas to detect conditions that may cause a loss of residual heat removal capability and excessive radiation levels and to initiate appropriate safety actions.

• GDC 64, “Monitoring Radioactive Releases,” requires, in part, the means for monitoring

the reactor containment atmosphere, spaces containing components for recirculation of LOCA fluids, effluent discharge paths, and the plant environs for radioactivity that may be released as a result of postulated accidents.

The NRC staff also determined that the following regulatory requirements and guidance documents are applicable to the review of this TR:

• In accordance with the requirements in 10 CFR 52.47(a)(8), an application for a design

certification must include the information necessary to demonstrate compliance with any technically relevant portions of the Three Mile Island requirements set forth in 10 CFR 50.34(f), 10 CFR 50.34(f)(1)(xii), (f)(2)(ix), and (f)(3)(v). In turn, 10 CFR 50.34(f)(2) states that to satisfy the requirements in 10 CFR 50.34(f)(2)(i)–(xxviii), the application shall provide sufficient information to demonstrate that the required actions will be satisfactorily completed by the operating license stage. Those required actions under 10 CFR 50.34(f)(2) include the following:

(viii) Provide a capability to promptly obtain and analyze samples from

the reactor coolant system and containment that may contain accident source term radioactive materials without radiation exposures to any individual exceeding 5 rems to the whole body or 50 rems to the extremities. Materials to be analyzed and

6

quantified include certain radionuclides that are indicators of the degree of core damage (e.g., noble gases, radioiodines and cesium, and nonvolatile isotopes), hydrogen in the containment atmosphere, dissolved gases, chloride, and boron concentrations.

(xvii) Provide instrumentation to measure, record and readout in the

control room: (A) containment pressure, (B) containment water level, (C) containment hydrogen concentration, (D) containment radiation intensity (high level), and (E) noble gas effluents at all potential, accident release points. Provide for continuous sampling of radioactive iodines and particulates in gaseous effluents from all potential accident release points, and for onsite capability to analyze and measure these samples.

(xix) Provide instrumentation adequate for monitoring plant conditions

following an accident that includes core damage. (xx) Provide power supplies for pressurizer relief valves, block valves,

and level indicators such that: (A) Level indicators are powered from vital buses; (B) motive and control power connections to the emergency power sources are through devices qualified in accordance with requirements applicable to systems important to safety; and (C) electric power is provided from emergency power sources. (Applicable to PWR's only.)

• In accordance with the requirements in 10 CFR 52.47(a)(12), an application for a design

certification must include an analysis and description of the equipment and systems for combustible gas control as required in 10 CFR 50.44, “Combustible Gas Control for Nuclear Power Reactors.” In turn, 10 CFR 50.44 requires, in part, that an applicant must perform an analysis that demonstrates containment structural integrity. The analysis must address an accident that releases hydrogen generated from a 100-percent fuel clad-coolant reaction accompanied by the hydrogen burning. The applicant must demonstrate that systems necessary to ensure containment integrity are able to perform their function under these conditions.

• In accordance with the requirements in 10 CFR 52.47(a)(4), an application for a design

certification must include an analysis and evaluation of the design and performance of structures, systems, and components (SSCs) with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents. The applicant shall perform analysis and evaluation of ECCS cooling performance and the need for high-point vents following postulated LOCA in accordance with the requirements in 10 CFR 50.46, “Acceptance Criteria for Emergency Core Cooling Systems for Light-Water Nuclear Power Reactors,” and 10 CFR 50.46a, “Acceptance Criteria for Reactor Coolant System Venting Systems.” In turn, 10 CFR 50.46 sets forth

7

acceptance criteria for ECCS for light-water nuclear power reactors, and 10 CFR 50.46a sets forth acceptance criteria for reactor coolant system venting systems.

• In accordance with the requirements in 10 CFR 50.55a(h)(3), an application for design

certification must meet the requirements for safety systems in IEEE Std. 603-1991, “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations,” and the correction sheet dated January 30, 1995.

• In accordance with the requirements in 10 CFR 52.47(a)(16), an application for a design

certification must include a coping analysis, and any design features necessary to address station blackout, as required in 10 CFR 50.63, “Loss of All Alternating Current Power.” In turn, 10 CFR 50.63(a)(1) requires that each design for a light-water-cooled nuclear power plant approved under a standard design certification must be able to withstand a station blackout for a specified duration and recover from a station blackout, as defined in 10 CFR 50.2. The specified station blackout duration shall be based on the following factors: − the redundancy of the onsite emergency ac power sources − the reliability of the onsite emergency ac power sources − the expected frequency of loss of offsite power − the probable time needed to restore offsite power The requirements in 10 CFR 50.63(a)(2) state that the reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration. The capability for coping with a station blackout of specified duration shall be determined by an appropriate coping analysis. Applicants are expected to have the baseline assumptions, analyses, and related information used in their coping evaluations available for NRC review. In accordance with the requirements in 10 CFR 52.47(a)(2), an application for standard design certification for nuclear power reactors shall present a safety analysis of the facility design in terms of site parameters postulated for the design. Specifically, 10 CFR 52.47(a)(2)(iv) requires that an analysis of the radiological consequences of postulated accidents include the following:

The safety features that are to be engineered into the facility and those barriers that must be breached as a result of an accident before a release of radioactive material to the environment can occur. Special attention must be directed to plant design features intended to mitigate the radiological consequences of accidents. In performing this assessment, an applicant shall assume a fission product release from the core into the containment assuming that the facility is operated at the ultimate power level contemplated. The applicant shall perform an evaluation and analysis of the postulated fission product release, using the expected demonstrable containment leak rate and any fission product cleanup systems intended to mitigate the consequences of the accidents, together

8

with applicable postulated site parameters, including site meteorology, to evaluate the offsite radiological consequences. The evaluation must determine that: (A) An individual located at any point on the boundary of the exclusion area for any 2-hour period following the onset of the postulated fission product release, would not receive a radiation dose in excess of 25 rem total effective dose equivalent (TEDE); (B) An individual located at any point on the outer boundary of the low population zone, who is exposed to the radioactive cloud resulting from the postulated fission product release (during the entire period of its passage) would not receive a radiation dose in excess of 25 rem TEDE.

Applications for combined licenses (COLs), construction permits, and operating licenses that reference the subject TR have similar requirements to evaluate the radiological consequences of postulated accidents in accordance with 10 CFR 52.79(a)(1)(vi) and 10 CFR 50.34(a)(1). The siting requirements in 10 CFR 100.21, “Non-Seismic Site Criteria,” also reference the criteria in 10 CFR 50.34(a)(1).

• In accordance with the requirements in 10 CFR 52.47(a)(2)(iii), as part of its review of an

application for a design certification, the Commission will consider the extent to which the reactor incorporates unique, unusual, or enhanced safety features having a significant bearing on the probability or consequences of accidental release of radioactive materials.

• As discussed in 10 CFR Part 50, Appendix E, “Emergency Planning and Preparedness

for Production and Utilization Facilities,” Section VI, “Emergency Response Data System,” the Emergency Response Data System (ERDS) is a direct near real-time electronic data link between the applicant's onsite computer system and the NRC Operations Center that provides for the automated transmission of a limited data set of selected parameters. While it is recognized that ERDS is not a safety system, it is conceivable that an applicant's ERDS interface could communicate with a safety system, and thus would require appropriate isolation devices at these interfaces. Section VI.2.a.(i) of Appendix E requires, for pressurized-water reactors (PWRs), that the selected plant parameters to be transmitted include those from radiation monitoring systems (i.e., reactor coolant radioactivity, containment radiation level, condenser air removal radiation level, effluent radiation monitors, and process radiation monitor levels).

• Regulatory Guide (RG) 1.97, Revision 4, “Criteria for Accident Monitoring

Instrumentation for Nuclear Power Plants,” issued June 2006, describes a method that the NRC staff considers acceptable for use in complying with the agency’s regulations with respect to satisfying criteria for accident monitoring instrumentation in nuclear power plants. Specifically, the method described RG 1.97 relates to GDC 13, 19, and 64. RG 1.97 endorses (with certain clarifying regulatory positions specified in Section C of the RG) IEEE Std. 497-2002, “IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations.”

9

• NUREG-0800, “Standard Review Plan for the Review of Safety Analysis Reports: LWR Edition,” Branch Technical Position 7-10, “Guidance on Application of Regulatory Guide 1.97,” Revision 6, issued August 2016, provides additional guidelines for reviewing an applicant’s accident monitoring instrumentation. SECY-94-084, “Policy and Technical Issues Associated with the Regulatory Treatment of Non-safety Systems in Passive Plant Designs,” dated March 28, 1994 (ADAMS Accession No. ML003708068), presented the Commission with recommended positions pertaining to policy and technical issues affecting passive advanced light-water reactor (ALWR) designs and requested that the Commission approve certain staff positions stated in the SECY, including the Electric Power Research Institute’s proposed alternative to the cold-shutdown condition called for by RG 1.139, “Guidance for Residual Heat Removal,” as a safe, stable condition that the passive decay heat removal systems must be capable of achieving and maintaining following non-LOCA events. This recommendation was predicated on an acceptable passive safety system performance and an acceptable resolution of the issue of regulatory treatment of nonsafety systems. In its staff requirements memorandum (SRM) on SECY-94-084, “Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems,” and COMSECY-94-024, “Implementation of Design Certification and Light-Water Reactor Design Issues,” dated June 30, 1994, the Commission, among other things, approved the staff's recommendation on this item. In doing so, the Commission stated that, with respect to the 72-hour capacity of the passive residual heat removal system water pool, the requirements for replenishing the water in the pool should be based on design-specific attributes, and the applicant’s justification of these requirements should not be based solely on the 72-hour criterion of the utility requirement document. Further, the Commission stated that the staff should be receptive to arguments for longer periods if technically justified. On May 22, 1995, the staff issued SECY-95-132, “Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems (RTNSS) in Passive Plant Designs” (ADAMS Accession No. ML003708005), in response to SRM-SECY-94-084 and presented a corresponding revision of SECY-94-084 for Commission review and approval. On June 28, 1995, the Commission approved the staff’s recommendations in SECY-95-132 (ADAMS Accession No. ML003708019).

3.0 Staff Evaluation TR Section 1.2, “Scope,” gives the scope of review specific to the safety classification of plant electrical systems for which the conditions of applicability and augmented provisions apply, as follows: • offsite and onsite ac electrical power systems • onsite dc electrical power systems.

In the TR, NuScale stated that the above scope does not include instrumentation and control equipment and circuits, which include both Class 1E and non-Class 1E systems, that serve to monitor and control power to and operation of safety-related and nonsafety-related loads.

10

The TR contains four appendices that describe the methodology and procedures to be applied to an example power system design to ensure that a dc power system design can be “highly reliable”: (1) Appendix A, “Example Overview of Electrical Systems and Instrumentation and Control

(I&C) Systems Design,” gives an overall description of an onsite power system that could serve a passive plant design that meets the conditions of applicability. In addition, Appendix A includes a set of typical one-line diagrams to facilitate an overall understanding of the concepts as applied to a passive plant electrical system.

(2) Appendix B, “Example Safety Classification Assessment for Electrical Systems,” describes how a hypothetical complete loss of all electric power (both ac and dc) would affect the various safety functions and explains how the applicant can satisfy the attributes of the conditions of applicability. However, Appendix B does not describe how the requirements of 10 CFR Part 50, Appendix E, Section VI.2.a.(i); 10 CFR 50.34(f)(2)(viii); or 10 CFR 50.34(f)(2)(xvii) would be met.

(3) Appendix C, “Example Failure Modes and Effects Analysis—Highly Reliable DC Power System,” provides an example failure modes and effects analysis of the example onsite dc power system described in Appendix A. The effects of failure modes and mechanisms for components in the example analysis establish that no single failure exists that could prevent safety-related functions from being achieved and maintained.

(4) Appendix D, “Example Safety Analysis Results,” provides example safety analysis results of a passive plant that has the design attributes described in Appendices A and B. The analysis shows that, in each postulated design-basis event (DBE) analyzed, none of the systems credited for mitigating the event requires electric power or operator action.

TR Section 1.2 states the following:

The information provided in the appendices is provided to facilitate: (1) the NRC’s review of the conditions of applicability and augmented provisions for which approval is sought; and (2) an understanding of how this topical report would be implemented by future applicants (including NuScale). As part of the scope of this topical report, NuScale is not seeking NRC approval of the information in the appendices. Information is provided in this report to demonstrate applicability of the methodology and to aid the reader’s understanding of the application of these methodologies.

NuScale TR further stated that its design certification application (DCA) will present the final design information and will confirm that the final design meets the conditions of applicability described in TR Table 3-1, which lists the attributes to be satisfied as conditions of applicability. The TR Table 3-1 has two sections: (1) Section I contains the specific conditions that, if fully met, would adequately justify that

no Class 1E electrical supply systems (power sources) are required.

11

(2) Section II contains additional conditions to be applied (after meeting Section I). TR Table 3-1, Section II, requires augmented design, qualification, and QA provisions. The provisions in Table 3-2 are the minimum requirements to be applied to non-Class 1E electrical systems (termed as “highly reliable DC electrical system(s)”) that will be used to power postaccident monitoring instrumentation for Type B and Type C variables and to power the plant emergency lighting system. If a passive nuclear plant can meet all the conditions listed in Table 3-1 without the need for any electrical power, Class 1E ac or dc power supply systems may not be necessary. This is subject to satisfying the capability

The NRC staff review of the information in the appendices does not constitute approval of the information in the appendices. Therefore, the NRC staff limited its review to the main body of the TR and focused on the design criteria considered in the conditions of applicability, not an actual design. Concept of “Highly Reliable” Non-Class 1E Direct Current System With regard to a fully non-Class 1E dc power system for a completely passive nuclear power plant design, the NRC staff was concerned whether the dc power system would have high reliability. More specifically, the NRC staff was concerned that the valve-regulated, lead-acid (VRLA) battery life could be seriously and suddenly reduced by exposure to prolonged periods of high temperatures, the magnitude and frequency of discharge cycles, or overcharging. The NRC staff devised a three-pronged review approach (i.e., performance, QA, and quantification) to determine the relative reliability of the conceptual dc power system design (presented in TR Appendix A) compared to a Class 1E dc power system. To date, conventional large light-water nuclear power plants have not used VRLA batteries for onsite power. Therefore, the NRC staff requested information on battery life, QA, performance, qualification, and reliability. RAI 08.03.02-01 In a letter dated December 5, 2016 (ADAMS Accession No. ML16340D339), NuScale acknowledged the NRC staff’s concerns with VRLA battery life and stated that these effects can be mitigated by following the recommendations in IEEE Std. 1187-2013, “IEEE Recommended Practice for Installation Design and Installation of Valve-Regulated Lead-Acid Batteries for Stationary Applications,” and IEEE Std. 1188-2005 (R2010), “IEEE Recommended Practice for Maintenance, Testing, and Replacement of Valve-Regulated Lead-Acid (VRLA) Batteries for Stationary Applications,” as noted in TR Table 3-2. Additionally, IEEE Std. 1187-2013 refers to IEEE Std. 1491-2012, “IEEE Guide for Selection and Use of Battery Monitoring Equipment in Stationary Applications,” and IEEE Std. 1635-2012, “IEEE/ASHRAE Guide for the Ventilation and Thermal Management of Batteries for Stationary Applications.”

In addition to the use of the industry standard procedures mentioned above for design, testing, and implementation of the VRLA battery-powered dc system, the applicant stated the following:

12

• The backup power supply system delivers backup power to heating, ventilation, and air conditioning systems serving the battery and associated charger rooms to avoid prolonged periods of high ambient temperature.

• For design consideration for magnitude and frequency of discharge cycle related

monitoring, the applicant will follow the guidance in IEEE Std. 1187-2013, IEEE Std. 1188-2005, and specifically IEEE Std. 1491-2012, which provides criteria to detect and monitor a battery for degradation.

• Following the guidance in IEEE Std. 1187-2013, as supplemented by IEEE

Std. 1491-2012, provides reasonable assurance that the VRLA batteries will not be overcharged and that instances of potential overcharging will be detected before degrading a battery to a point where it is not able to perform its intended function.

The electrical power system presented in TR Appendix A depicts an onsite power system design with no Class 1E power sources, assuming the reactor design does not require any safety-related electrical loads to support the safety analyses. The NRC staff reviewed the RAI response and determined that the use of VRLA batteries in a nonsafety dc power system design for a passive nuclear power plant, construction and monitoring will follow the guidance in IEEE Std. 1187-2013 and IEEE Std. 1188-2005, as supplemented by IEEE Std. 1491-2012 and IEEE Std. 1635-2012. These IEEE standards provide widely established industry guidance for design, testing, and performance of VRLA batteries. The NRC staff determined that, based on the IEEE standards mentioned above, the design will give reasonable assurance that a dc power system that uses a VRLA battery will not be exposed to prolonged periods of high temperatures, will be monitored for potential overcharging, and will be monitored for magnitude and frequency of discharge cycles that may degrade the battery performance. For the reasons discussed above, the NRC staff concludes that, for a nonsafety dc system that uses VRLA batteries, the applicant’s response gives reasonable assurance that the dc system will be monitored for degradation and the use of VRLA batteries will not adversely affect the dc system’s intended function. The NRC staff asked the applicant to include its response to RAI 08.03.02-01 in the next revision of the TR. In Revision 1 to the TR, the applicant included the applicable year for the following IEEE standards as requested in the RAI: IEEE Std. 1491-2012 and IEEE Std. 1635-2012. This action satisfies the NRC staff’s request. RAI 08.03.02-02 In TR Table 3-2, NuScale stated that a graded QA program will be applied to the dc electrical system that will meet or exceed the augmented QA guidance in Appendix A, “Quality Assurance Guidance for Non-Safety Systems and Equipment,” to RG 1.155, “Station Blackout.” The NRC staff asked NuScale to describe the proposed QA program in sufficient detail to enable the NRC staff to verify whether it meets or exceeds the guidance in RG 1.155.

13

In its December 5, 2016, response to RAI 08.03.02-02, NuScale stated that a COL applicant that references TR-0815-16487 will be required to follow the guidance in RG 1.155, Appendix A. The NRC staff finds NuScale’s response reasonable. The NRC staff has placed Condition 4.1 in Section 4.0 of this safety evaluation to ensure that all future applicants that reference TR-0815-16497 address the guidance in RG 1.155, Appendix A, in sufficient detail to verify whether the relevant QA program would meet or exceed the guidance in RG 1.155. RAI 08.03.02-03 In TR Table 3-2, under “Batteries,” NuScale stated that the VRLA batteries have augmented design, QA, and qualification provisions. The NRC staff asked NuScale to describe the methods and processes that a passive reactor nuclear power plant will use to verify that VRLA batteries will perform their intended functions during normal operation, AOOs, and postulated DBEs. In its response dated December 5, 2016 (ADAMS Accession No. ML16340D339), NuScale stated that the VRLA batteries used in a passive reactor nuclear power plant design are not credited for use in mitigating the consequences of postulated DBEs. NuScale also stated that an applicant using this TR shall implement a testing and monitoring program, as described in IEEE Std. 1188-2005 and IEEE Std. 1491-2012, to ensure that VRLA batteries will perform their intended functions when called upon. These standards provide for a wide variety of operating parameters to be monitored on a continuous basis, including cell-specific parameters. Furthermore, NuScale stated that applicants would be required to environmentally qualify their VRLA batteries in accordance with IEEE Std. 323-1974, as appropriate, and IEEE Std. 323-2003, “IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations,” and to seismically qualify their batteries in accordance with IEEE Std. 344-2004, “IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations,” as appropriate, to give further assurance that the batteries will perform their intended functions. The NRC staff also asked NuScale to identify the industry standards or applicable references that will be used for verification purposes. NuScale identified the following industry standards: • IEEE Std. 323-1974, as endorsed by RG 1.89, “Environmental Qualification of Certain

Electric Equipment Important to Safety for Nuclear Power Plants,” for harsh environments

• IEEE Std. 323-2003 for mild environments

• IEEE Std. 344-2004, as endorsed by RG 1.100, “Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants”

• IEEE Std. 1188-2005

• IEEE Std. 1491-2012

14

The NRC staff reviewed the applicant’s response to RAI 08.03.02-03 and determined that the design of the VRLA batteries used as a non-Class 1E dc power source in a passive reactor nuclear power plant design, in accordance with the widely accepted industry practices IEEE Std. 1188-2005 and IEEE Std. 1491-2012 for testing and monitoring; IEEE Std. 323-1974, as appropriate, and IEEE Std. 323-2003, as appropriate, for environmental qualification; and IEEE Std. 344-2004 for seismic qualification provide reasonable assurance that the VRLA batteries will perform their intended functions. The NRC staff concludes that NuScale’s response is acceptable with regard to the methods and processes used to verify that the VRLA batteries will perform as intended. The TR states that the VRLA batteries will be seismic Category 1; therefore, an applicant using the TR shall provide a qualification testing plan that includes an environmental and seismic qualification, and also a technical functional requirement for the VRLA batteries to provide reasonable assurance that VRLA batteries will perform their intended functions. For this reason, the NRC staff has established Condition 4.2 on the TR for the applicant to confirm that the VRLA batteries and their structures are seismic Category 1. To give reasonable assurance that the VRLA batteries will perform as intended, the applicant that references the TR must provide a COL action item to support that the VRLA batteries and their structures are seismic Category 1. RAI 08.03.02-04 In the TR, NuScale described its dc power system as “highly reliable” and substantially equal in reliability to that of an analogous Class 1E dc power system. However, the TR did not fully justify these statements. Therefore, to complete its review, the NRC staff asked the applicant to provide additional quantitative information. Specifically, the NRC staff asked the applicant to describe the methodology that it will use to compare the highly reliable dc system that it will describe in its DCA to a Class 1E dc power system to show that the highly reliable dc system is substantially equal in reliability to a typical Class 1E dc power system. NuScale provided a two-part response. The first part describes the methodology in the TR that design certification applicants would use to perform a quantitative analysis. This methodology comprises the following five steps needed to compare the reliability of the highly reliable dc system to that of a typical Class 1E dc power system: (1) (2)

(3)

(4)

15

(5)

The second part of NuScale’s response gave the results of its comparative analysis using the above methodology. NuScale indicated that its results were favorable in that the augmented non-Class 1E design indicated a reliability greater than that of the Class 1E design. In its response, NuScale further concluded that amending the TR to include the methodology presented is not necessary. NuScale and the NRC staff held a conference call on January 6, 2017, to address the RAIs. First, the staff asked for clarification on whether NuScale’s referenced probabilistic risk analysis (PRA) model included common-cause failures among each of the two-battery-in-parallel configurations. NuScale stated that the model included common-cause failure of the two-battery configurations. The concern was that any battery operating in parallel could experience certain common-cause events. Any further questions on PRA methodology would be part of the PRA review of the referencing DCA or COL application. Second, the NRC staff requested clarification about the statement at the end of the response that the response does not require a revision to the licensing document (i.e., TR-0815-16497). The NRC staff questioned this statement because TR-0815-16497 is a methodology document and the response to RAI 08.03.02-04 provides additional methodology necessary for use of the TR by any applicant referencing it. NuScale added this methodology to Table 3-1, Section II, of Revision 1 to the TR. This action satisfies the NRC staff’s request. Based on the review of this response, the NRC staff concludes that the five-step process outlined in the applicant’s response provides an acceptable approach for demonstrating the relative reliability of a non-Class 1E system with that of an analogous Class 1E system. 3.1 Postaccident Monitoring The primary purpose of postaccident monitoring instrumentation is to display plant variables that provide information required by the control room operator during and after an accident. GDC 13, GDC 19, GDC 64, 10 CFR 50.34(f)(2)(xix), 10 CFR 50.34(f)(2)(xx), and 10 CFR 50.55a(h) contain regulatory requirements governing postaccident monitoring instrumentation. The NRC provides the primary guidance for implementing these regulatory requirements in RG 1.97, which describes a method acceptable to the NRC staff for complying with the Commission’s regulations to provide instrumentation for monitoring plant variables and systems during and after an accident. RG 1.97, which endorses IEEE Std. 497-2002, with certain clarifying regulatory positions specified in Section C of RG 1.97, specifies that a Class 1E electrical system should be provided to supply the instrumentation that monitors Type A, B, and C variables under postaccident conditions. Under 10 CFR 50.34(f)(2)(xx), the NRC requires that electric power for pressurizer level indicators must be powered by vital buses. RG 1.97 defines Type A, B, and C variables as follows:

16

• Type A variables provide the primary information required to allow main control room operators to take manual actions for which no automatic control is provided.

• Type B variables provide primary information to the control room operators to assess the

plant safety functions. • Type C variables provide primary information to the control room operators to indicate

the potential for breach or the actual breach of fission product barriers (e.g., fuel cladding, RCPB, and containment pressure boundary).

During its review, the NRC staff considered whether the safety system design to provide accident monitoring instrumentation would require instrumentation to be powered by a Class 1E electrical system for Type B and C variables. IEEE Std. 603-1991, Clause 5.8.1, “Displays for Manually Controlled Actions,” specifies that monitoring instrumentation be part of the safety systems and meet the requirements of IEEE Std. 497-2002. For monitoring instrumentation used for these operations, IEEE Std. 603-1991 and IEEE Std. 497-2002 specify a Class 1E electrical power supply.

The NRC staff’s evaluation considered the following: • Regulatory requirements in GDC 13, 19, and 64 are applicable to postulated DBEs and

do not specify a Class 1E electrical power supply. Therefore, a Class 1E electrical power supply is not required to meet GDC 13, 19, and 64.

• In accordance with the requirements in 10 CFR 52.47(a)(8), an application for a design certification must include the information necessary to demonstrate compliance with any technically relevant portions of the Three Mile Island requirements as stated in 10 CFR 50.34(f), except for 10 CFR 50.34(f)(1)(xii), (f)(2)(ix), and (f)(3)(v). The requirements in 10 CFR 50.34(f)(2)(xix) call for the design to provide instrumentation adequate for monitoring plant conditions following an accident that includes core damage. This includes core damage that may be more extensive than a postulated DBE. Finally, 10 CFR 50.34(f)(2)(xix) does not specify the quality of the electrical supply; therefore, a Class 1E electrical power supply is not required to meet 10 CFR 50.34(f)(2)(xix).

• In accordance with the requirements in 10 CFR 50.34(f)(2)(xx), which are applicable to PWRs only, the design must provide power supplies for pressurizer relief valves, block valves, and level indicators such that (1) level indicators are powered from vital buses, (2) motive and control power connections to the emergency power sources are through devices qualified in accordance with requirements applicable to systems important to safety, and (3) electric power is provided from emergency power sources. On its face,

17

NUREG- 0737, “Clarification of TMI Action Requirements,” issued November 1980, states that the instrument channels for pressurizer level indication instrument channels shall be powered from the vital instrument buses and does not specify a Class 1E electrical power supply requirement; therefore, a Class 1E electrical power supply is not required to meet 10 CFR 50.34(f)(2)(xix).

• Clause 5.8.2 of IEEE Std. 603-1991 states, in part, that the display instrumentation provided for safety-system status indication need not be part of the safety systems; therefore, a Class 1E electrical power supply is not required to meet Clause 5.8.2 of IEEE Std. 603-1991.

Type B and Type C accident monitoring instrumentation is required to perform its intended function under postulated accident conditions. As such, the reliability of the electrical power supply for these instruments should be substantially similar to that of a Class 1E electrical system (see Section 3.0 of this safety evaluation). In TR Section 3.2.1, the applicant provided an alternative to RG 1.97 that uses a highly reliable dc power system in lieu of a Class 1E electrical system to supply electrical power to the postaccident monitoring instrumentation. When performing this review, the NRC staff considered the electrical system reliability of the highly reliable dc electrical system. The NRC staff established a three-pronged approach to establish whether the highly reliable dc electrical system provides a substantially equal reliability to that of a Class 1E design. The three-pronged approach consisted of (1) evaluation of the augmented design, qualification, and QA provisions, (2) consideration of the rigor of the highly reliable dc power system as demonstrated by the failure modes and effect analysis, and (3) quantification via fault tree analysis to compare the NuScale design with an approved passive PWR dc system design. Section 3.0 of this safety evaluation evaluates the electrical system reliability of the highly reliable dc power system. Based on its evaluation of the electrical system reliability, the staff concluded that the highly reliable dc electrical system provides a substantially equal reliability to that of a Class 1E design; thus, the dc electrical system provides additional assurance that postaccident monitoring capability is maintained during and following a DBE. Based on the NRC staff’s review of the TR and the regulatory requirements governing accident monitoring instrumentation, the staff found that the augmented design, qualification, and QA provisions of the power sources for Type B and Type C variables represent an acceptable alternative to the guidance in RG 1.97.

, the staff has established Condition 4.3 (see Section 4.0 of this safety evaluation) for the applicants referencing this safety evaluation to confirm that operator actions are not necessary to ensure safety-related functions for any postulated DBE (i.e., the design does not include Type A variables as defined in IEEE Std. 497-2002, as modified in RG 1.97, Regulatory Position C.4). Spent Fuel Pool Considerations The spent fuel pool (SFP) has the safety function of maintaining the spent fuel assemblies in a safe and subcritical array during all credible storage conditions. GDC 63 for spent fuel storage facilities requires monitoring systems to (1) detect conditions that may cause the loss of residual

18

heat removal capability and excessive radiation levels and (2) indicate when to take action to initiate appropriate safety actions. In TR Appendix B, Section B.2.2, “Fuel Assembly Cooling—Spent Fuel and Module Core Refueling,” the applicant described

In TR Table 3-1, Conditions of Applicability 3 and 4 specify that for the TR to be applicable to a design, the applicant must demonstrate the following: •

•

The NRC staff determined that Conditions of Applicability 3 and 4, as stated above, are consistent with the staff guidance in NUREG-0800, Section 19.3, “Regulatory Treatment of Non-Safety Systems (RTNSS) for Passive Advanced Light Water Reactors,” and, therefore, if a design met these conditions, Class 1E power would not be required for monitoring SFP conditions. 3.2 Safe Shutdown, Core Cooling, and Reactor Coolant Pressure Boundary Integrity The NRC staff used the review guidance in the NUREG-0800 to identify the Commission’s regulations associated with safe shutdown, core cooling, and RCPB integrity. In accordance with 10 CFR 52.47(a)(3)(i), the staff identified, as minimum requirements, GDC 10, 15, 20, 26, 27, and 34 and 10 CFR 50.46 as associated with safety-related SSCs (in accordance with the definition in 10 CFR 50.2) that need to be addressed by the conditions of applicability in TR Table 3-1. Condition of Applicability I.1.a, and Condition of Applicability I.1.c.,

require, in part,

The NRC staff finds these requirements to be consistent with GDC 20. Accordingly, the NRC staff finds that Conditions of Applicability I.1.a and I.1.c are necessary and sufficient for determining that no Class 1E power is required to satisfy GDC 20. Condition of Applicability I.1.b states,

19

The NRC staff describes safe-shutdown requirements in SECY-94-084. In SRM-SECY-94-084, the Commission approved the staff’s recommendation on safe-shutdown requirements. SECY-94-084 clarifies the conditions that constitute a safe-shutdown condition as reactor subcriticality, decay heat removal, and radioactive material containment. Additionally, SECY-94-084 states that an appropriate safety analysis can be used to demonstrate passive system capabilities to bring the plant to a safe, stable condition and to maintain this condition. The staff’s views on safe shutdown were not changed in SRM-SECY-95-132 (updating the Commission on matters in SECY-94-084). TR Appendices B and D provide clarifying examples to illustrate how the conditions of applicability can be demonstrated. The examples did not include a quantitative safety analysis to demonstrate the ability to insert sufficient negative reactivity during and following a DBE to achieve and maintain safe shutdown. This omission caused the NRC staff to question the interpretation of safe shutdown as applied to Condition of Applicability I.1.b. Accordingly, the NRC staff issued RAI 08.03.02-05, dated October 7, 2016 (ADAMS Accession No. ML16281A298), asking the applicant to (1) specify the criteria that constitute a safe shutdown as applied to Condition of Applicability I.1.b, and (2) describe how a future applicant for a passive plant will demonstrate that electric power is not necessary to achieve and maintain a safe shutdown for a minimum of 72 hours. In its December 5, 2016, response (ADAMS Accession No. ML16340D339), NuScale stated that the criteria that constitute a safe shutdown are subcriticality and decay heat removal in order to maintain fuel clad integrity (radioactive material containment). The NRC staff finds this response acceptable because it is more restrictive than the criteria in SECY-94-084. The applicant’s response to RAI 08.03.02-05 further discussed the following approach to demonstrating Condition of Applicability I.1.b:

…an applicant will evaluate the reactivity control systems to ensure sufficient shutdown function capability and evaluate the decay heat removal system to ensure sufficient heat removal capability. To ensure that safe shutdown capability is sufficient to address the safety issue of heat removal reliability, a probabilistic risk assessment is used to ensure that the reliability of systems used to achieve and maintain safe shutdown supports conformance to the commission’s safety goal guidelines.

The applicant further explained that safety analyses of DBEs (as typically presented in Chapter 15 of a final safety analysis report (FSAR)) may not be suitable for demonstrating the ability to achieve and maintain a safe shutdown following a DBE. Specifically, the applicant’s response stated the following:

Conservative assumptions are applied to Chapter 15 safety analysis of DBEs appropriate for the intended purpose of ensuring appropriate margins to protect fuel integrity and core coolability. Although these safety analyses can be used to demonstrate adequate shutdown capability per SECY-94-084, application of the same conservative assumptions may lead to excessive margin with respect to shutdown capability.

20

The NRC staff previously communicated positions on shutdown margin during and following DBEs in letters discussing GDC 26 and 27, dated December 5, 2016 (ADAMS Accession No. ML16292A589), and September 8, 2016 (ADAMS Accession No. ML16116A083), respectively. These letters clarify that shutting down the reactor and maintaining a subcritical reactor are safety functions considered in GDC 26 and 27, both of which require margin for malfunctions such as stuck rods. In the letter addressing GDC 27, the NRC staff stated the following:

Criterion 27 requires that the reactor be reliably controlled and that the reactor achieve and maintain a safe, stable condition, including subcriticality beyond the short term, using only safety related equipment following a postulated accident with margin for stuck rods.

Based on the shutdown margin requirements of GDC 26 and 27, the NRC staff established Condition 4.5 to require a demonstration or appropriate justification of shutdown margin. Based on the applicant’s criteria for safe shutdown and pursuant to Condition 4.5, the NRC staff finds that Condition of Applicability I.1.b is necessary and sufficient for determining that no Class 1E power is required to satisfy GDC 26 and 27. Condition of Applicability I.1.c,

is a high-level requirement associated with core cooling. GDC 10, 34, and 35 and 10 CFR 50.46 are design requirements associated with safety-related SSCs that perform core cooling functions. In accordance with the requirements in 10 CFR 50.34, “Contents of Applications; Technical Information”; 10 CFR 52.47, “Contents of Applications; Technical Information”; and 10 CFR 52.79, “Contents of Applications; Technical Information in Final Safety Analysis Report,” applicants are required to provide a description and analysis of the safety-related SSCs credited to perform core cooling functions, with emphasis upon performance requirements. The information provided by an applicant under these regulations must be sufficient to demonstrate compliance with GDC 10, 34, and 35 and 10 CFR 50.46. Additionally, an applicant referencing the TR is required to perform these evaluations to show that safety functions will be accomplished in the absence of electrical power to demonstrate compliance with Condition of Applicability I.1.c. Accordingly, the NRC staff finds that Condition of Applicability I.1.c is necessary and sufficient for determining that Class 1E power is not required to satisfy GDC 10, 34, and 35 and 10 CFR 50.46. Condition of Applicability I.1.g states,

This statement supports Condition of Applicability I.1, which states,

TR Appendices B and D provide clarifying examples to illustrate how the conditions

of applicability can be demonstrated. The example safety analysis in Appendix D shows that the example passive plant response to an AOO includes establishing a direct coolant flowpath between the reactor core and the containment, thereby removing a fission product barrier. This caused the NRC staff to question whether Condition of Applicability I.1.g is sufficient for demonstrating RCPB integrity. Accordingly, the NRC staff issued RAI 08.03.02-06, dated October 7, 2016 (ADAMS Accession No. ML16281A298), asking the applicant to (1) specify the criteria that constitute RCPB integrity as applied to Condition of Applicability I.1, and (2) explain why the removal of a fission product barrier during an AOO is not considered an event escalation.

21

In its December 5, 2016, response (ADAMS Accession No. ML16340D339), NuScale stated that a loss of RCPB integrity involves a mechanical failure in an RCPB component, but it does not include the opening of a valve. The applicant further stated that considering the RCPB to be lost when a valve opens is problematic because (1) it would preclude advanced designs that offer improvements in safety by relying on valves to depressurize the reactor coolant system for safe shutdown, (2) it is not consistent with the licensing basis for PWRs and boiling-water reactors (BWRs), as these designs rely on safety relief valves for overpressure protection, and (3) the GDC address maintaining structural integrity of RCPB components rather than preventing the opening of valves to allow fluid to pass into or out of the RCPB. Additionally, the applicant stated that opening a valve to depressurize the reactor coolant system and establish long-term cooling is not considered a removal of a fission product barrier, and thus not event escalation, because the functions of the reactor coolant system barrier are not lost. The applicant further stated that events that do not result in unacceptable consequences or significantly increase the risk for radiological release do not challenge the intent of the nonescalation criterion specified in NUREG-0800, Section 15.0, “Introduction—Transient and Accident Analyses.” The NRC staff’s evaluation of the applicant’s response considered the examples from operating PWRs and BWRs. The applicant’s response included examples in which valves connected to the reactor coolant system opened and allowed fluid to pass through the RCPB and included the opening of safety relief valves, shutdown cooling, and the reactor core isolation cooling system in BWRs. The NRC staff finds these examples to differ from the scenario that was the basis for RAI 08.03.02-06. In particular, the staff identifies that a rapid discharge of reactor coolant directly to the containment atmosphere, in response to an AOO, can result in significant pressurization of the containment, which is required to retain coolant and establish a return path to the reactor pressure vessel. The AOO scenario in TR Appendix D appears to rely on the containment to retain the reactor coolant necessary to ensure fuel cladding integrity during an AOO. Because an AOO, by definition, is expected to occur one or more times during the life of the nuclear power plant, the NRC staff is concerned that such reliance upon the containment may not be consistent with the underlying defense-in-depth purpose of GDC 15, which expects the RCPB to remain available as a fission product barrier during AOOs. Accordingly, the NRC staff established Condition 4.4 on the TR to address reliability requirements for the systems necessary to retain reactor coolant within the RCPB. Condition 4.4 requires a probabilistic determination of the expected frequency of ECCS actuation during AOO mitigation (e.g., dc power system failure that causes ECCS actuation, ECCS pilot valve failure, spurious ECCS actuation). Opening of the ECCS valves during normal, planned plant operations, including recovery from an AOO, is acceptable once a safe, stable state has been established. Based on the overpressure protection of the RCPB and pursuant to Condition 4.4, the NRC finds that Condition of Applicability I.1.g is necessary and sufficient for determining that Class 1E power is not required to satisfy GDC 15.

3.3 Containment Isolation TR Condition of Applicability I.1.d specifies that for

The provisions in GDC 54, 55, 56, and 57 in part require containment isolation capabilities. Based on consideration of the relevant GDC above, the staff determined that a plant design that is able to

22

satisfy Condition I.1.d should be able to meet the minimum design requirements in GDC 54, 55, 56, and 57. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to achieve the containment isolation function. 3.4 Containment Integrity TR Condition of Applicability I.1.e specifies that for

The

provisions in GDC 16, 38, 41, and 50 in part require that the containment safety function can be achieved and maintained during DBEs. The provisions in 10 CFR 50.44 address the control of combustible gases in the containment. Based on consideration of the relevant GDC and 10 CFR 50.44, the staff determined that a plant design that is able to satisfy Condition of Applicability I.1.e should be able to meet the minimum design requirements in GDC 16, 38, 41, and 50 and 10 CFR 50.44. The staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to assure that containment integrity is achieved and maintained. 3.5 Fission Product Control TR Condition of Applicability I.1.f specifies that for

The provisions in GDC 41 in part require systems to control fission products. Based on consideration of the relevant GDC and applicable guideline exposure requirements, the staff determined that a plant design that is able to satisfy Condition of Applicability I.1.f should be able to meet the minimum design requirements in GDC 41 and applicable guideline exposure requirements. The staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy GDC 41 and the applicable guideline exposures in 10 CFR 100.21, 10 CFR 50.34(a)(1)(ii)(D), and 10 CFR 52.47(a)(2)(iv). 3.6 Control Room Habitability TR Condition of Applicability I.5 specifies that electrical power is not necessary

The provisions in GDC 19 in part require that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including LOCAs. Based on consideration of the relevant GDC, the staff determined that a plant design that is able to satisfy Condition of Applicability I.5 should be able to meet the minimum design requirements in GDC 19. The staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy GDC 19. 3.7 Cooling for Building Areas Containing Safety-Related Equipment TR Condition of Applicability I.6 specifies that

23

The

provisions in 10 CFR 50.63 in part require that the reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration. Based on consideration of the 10 CFR 50.63 requirement, the staff determined that a plant design that is able to satisfy Condition of Applicability I.5 should be able to meet the requirements in 10 CFR 50.63. The staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy 10 CFR 50.63. 3.8 Building Ventilation TR Condition of Applicability I.7 specifies that

The provisions in GDC 61 in part require that fuel storage and handling, radioactive waste, and other systems that may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. Based on consideration of the relevant GDC and the applicable guideline exposure requirements, the staff determined that a plant design that is able to satisfy Condition of Applicability I.7 should be able to meet the minimum design requirements in GDC 61 and applicable guideline exposure requirements. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy GDC 61 and the applicable guideline exposures in 10 CFR 100.21, 10 CFR 50.34(a)(1)(ii)(D), and 10 CFR 52.47(a)(2)(iv). 3.9 Emergency Lighting TR Section 3.2.2, “Emergency Lighting,” states that the highly reliable dc electrical system provides power to portions of the emergency lighting system, and that the emergency lighting system is classified as non-Class 1E. Additionally, TR Condition of Applicability II.3 (Section II of Table 3-1) specifies that the applicant’s emergency lighting capability

The NRC staff finds that TR Condition of Applicability II.3 is consistent with the NRC staff’s guidance on the classification of the emergency lighting system as non-Class 1E and, therefore, is acceptable. 4.0 Limitations and Conditions In its letter dated July 26, 2017 (ADAMS Accession No. ML17205A380), the Advisory Committee on Reactor Safeguards indicated that TR-0815-16497-P, Revision 1, is acceptable for use only as a reference document for the NuScale plant electrical systems design subject to the staff limitations and conditions. The staff responded to the committee on September 11, 2017 (ADAMS Accession No. ML17221A058), agreeing with its recommendation. Therefore, the NRC staff’s conclusions on this TR are limited to the NuScale passive nuclear plant design.

24

If NuScale chooses to incorporate by reference TR-0815-16497 as part of its application, it must demonstrate that the reactor design meets all the conditions of applicability in Table 3-1 and all the augmented design, qualification, and QA provisions in Table 3-2. Additionally, any applicant referencing this TR must take the following actions: 4.1 Address the guidance in RG 1.155, Appendix A, in sufficient detail to enable the

NRC staff to verify that the relevant QA program would meet or exceed the guidance in RG 1.155.

4.2 Confirm that the VRLA batteries and their structures are seismic Category 1. To provide reasonable assurance that the VRLA batteries will perform as intended, an applicant that references the TR shall provide a COL action item to support that the VRLA batteries and their structures are seismic Category 1. A qualification testing plan includes environmental and seismic qualification and a technical functional requirement for VRLA batteries to show they can perform as intended.

4.3 Demonstrate that operator actions are not necessary to ensure the performance of safety-related functions for any postulated DBE (i.e., the design does not include Type A variables as defined in IEEE Std. 497-2002, as modified in RG 1.97, Regulatory Position C.4), as presented in Chapter 15 of its FSAR and the human factors analysis in Chapter 18 of its FSAR.

4.4 Evaluate the frequency for which a combination of an AOO and an actuation of

the NuScale ECCS is realistically expected to occur, and show that such a combination of events is not expected to occur during the lifetime of the module.

4.5 Demonstrate that the reactor can be brought to a safe shutdown using only safety-related equipment in the absence of electrical power following a DBE, with margin for stuck rods. Alternatively, an applicant addressing this condition may provide justification, for NRC review, for a less restrictive approach.

5.0 Conclusions The NRC staff approves the use of NuScale TR-0815-16497 as a reference document only to the NuScale passive nuclear plant design, subject to the conditions and limitations specified in Section 4.0 of this safety evaluation report. Specifically, based on its review of TR-0815-16497, the NRC staff finds that if the NuScale reactor design can meet the conditions of applicability and the augmented design, qualification, and QA provisions, Class 1E power sources would not be necessary. This approval of the concepts discussed in the TR does not constitute approval of any specific design. Any applicant referencing this TR in support of a design other than the NuScale passive nuclear plant design must submit information, for NRC staff review, that justifies the applicability of this TR, or a variation of it, to the respective design.